WEBVTT

00:00.000 --> 00:01.920
>> Okay, welcome back.

00:01.920 --> 00:03.360
Now we'll talk about how

00:03.360 --> 00:05.790
authentication works
on most networks.

00:05.790 --> 00:08.655
On most networks, you
have single sign-on.

00:08.655 --> 00:11.100
Basically, what that
means is I'm able to

00:11.100 --> 00:14.040
log in and provide my
credentials one time,

00:14.040 --> 00:17.040
and then I'm able to
stay on the domain or in

00:17.040 --> 00:20.265
the realm as long as my
token hasn't expired.

00:20.265 --> 00:23.765
But ultimately, I don't
have to keep logging in

00:23.765 --> 00:27.605
over and over for each
resource I want to access.

00:27.605 --> 00:30.755
For example, if I want
to use the printer,

00:30.755 --> 00:33.250
I don't have to log in again.

00:33.250 --> 00:37.135
That is thanks to a
protocol called Kerberos.

00:37.135 --> 00:40.075
It's really both a
protocol and a service.

00:40.075 --> 00:42.500
This idea of a single sign-on on

00:42.500 --> 00:44.885
our local domain
has a lot of pros.

00:44.885 --> 00:47.255
I was around in the
peer-to-peer days

00:47.255 --> 00:48.800
when you had to log on separately

00:48.800 --> 00:50.030
to every system that had

00:50.030 --> 00:52.780
a resource that you
wanted to have access to.

00:52.780 --> 00:55.250
That's a lot of
usernames and passwords

00:55.250 --> 00:58.460
to keep up with. We
have that on the Internet

00:58.460 --> 01:00.140
today for all the sites

01:00.140 --> 01:01.960
that you go on to
on the internet.

01:01.960 --> 01:04.355
But at least in our work domain,

01:04.355 --> 01:07.075
you don't have to log in
for everything separately,

01:07.075 --> 01:09.740
and you have single sign-on.

01:09.740 --> 01:12.495
It's also easier
for administrators,

01:12.495 --> 01:14.085
because there's a
single database

01:14.085 --> 01:15.595
with usernames and passwords,

01:15.595 --> 01:17.165
and it's easier to create,

01:17.165 --> 01:20.350
modify, and delete
user accounts.

01:20.350 --> 01:23.090
Now, the downside is that if I

01:23.090 --> 01:25.340
have a centralized
authentication server,

01:25.340 --> 01:27.535
then you have a single
point of failure.

01:27.535 --> 01:30.050
We have to have an
environment that accepts that

01:30.050 --> 01:32.540
if I log onto the
main controller one,

01:32.540 --> 01:34.430
that it has to have
all the applications

01:34.430 --> 01:36.005
I need access to,

01:36.005 --> 01:38.180
and it needs to follow
certain standards

01:38.180 --> 01:39.730
to make that possible.

01:39.730 --> 01:43.115
The other thing is that if
someone gets my password,

01:43.115 --> 01:45.920
then they get access
to everything.

01:45.920 --> 01:48.290
But we've decided that the pros

01:48.290 --> 01:50.495
outweigh the cons with
the single sign-on.

01:50.495 --> 01:52.085
Life is much better,

01:52.085 --> 01:53.780
much easier, and more

01:53.780 --> 01:56.720
secure in a single
sign-on environment.

01:56.720 --> 01:59.975
Remember that it's
Kerberos that allows

01:59.975 --> 02:03.215
us to have single sign-on
in our internal network.

02:03.215 --> 02:05.450
Then we see SAML and

02:05.450 --> 02:07.700
OpenID Connect as a
means of extending

02:07.700 --> 02:09.320
that single sign-on out to

02:09.320 --> 02:12.790
other organizations with whom
we have federated trust.

02:12.790 --> 02:15.230
Then you can extend single

02:15.230 --> 02:17.810
sign-on into various tools
that you'd like to use,

02:17.810 --> 02:21.230
such as Microsoft
365, Salesforce,

02:21.230 --> 02:23.155
and all types of other tools,

02:23.155 --> 02:26.350
but let's focus on
Kerberos for now.

02:27.140 --> 02:30.845
This is a network
authentication protocol.

02:30.845 --> 02:33.440
It's going to be used in
your internal network,

02:33.440 --> 02:36.490
and it's a protocol
and a service.

02:36.490 --> 02:39.300
By the way, it uses port 88.

02:39.300 --> 02:40.940
I always remember that because

02:40.940 --> 02:42.755
there are 88 keys on a piano,

02:42.755 --> 02:47.090
and keys and Kerberos
both start with ke or ke.

02:47.090 --> 02:50.520
Maybe that will help
you remember it also.

02:50.600 --> 02:54.125
Kerberos has been
around for a long time.

02:54.125 --> 02:56.194
It uses symmetric encryption

02:56.194 --> 02:57.950
and you need to remember that.

02:57.950 --> 02:59.810
This makes sure that users and

02:59.810 --> 03:02.195
services are both authenticated.

03:02.195 --> 03:04.970
You get some mutual
authentication.

03:04.970 --> 03:07.395
It's also very time sensitive,

03:07.395 --> 03:09.140
and that's one of
the ways we minimize

03:09.140 --> 03:11.760
the risk of replay attacks.

03:12.500 --> 03:15.985
Let's talk about
how Kerberos works.

03:15.985 --> 03:18.020
I like to think
about the carnival I

03:18.020 --> 03:19.880
used to go to when I was a kid,

03:19.880 --> 03:22.250
and how it relates to
how Kerberos works.

03:22.250 --> 03:25.550
I'm going to use that as my
analogy to help explain it.

03:25.550 --> 03:28.955
Now, once a year the
carnival would come to town,

03:28.955 --> 03:30.380
and they'd set up a big fence

03:30.380 --> 03:32.435
around where the carnival
ball was set up.

03:32.435 --> 03:34.475
That was the carnival realm,

03:34.475 --> 03:37.130
and I could not
wait to get in it.

03:37.130 --> 03:39.845
I remember that on
Wednesday nights,

03:39.845 --> 03:41.630
the admission was cheaper
because they were

03:41.630 --> 03:44.000
trying to get people
to come on that night.

03:44.000 --> 03:46.100
I would show up at the
admission booth on

03:46.100 --> 03:47.195
Wednesday night and I

03:47.195 --> 03:49.270
paid to get into
the carnival realm.

03:49.270 --> 03:52.010
That would only give me
the ability to get in,

03:52.010 --> 03:53.780
it didn't cover the price of

03:53.780 --> 03:56.080
any rides or activities
I wanted to do.

03:56.080 --> 03:58.585
For that, you had
to buy tickets.

03:58.585 --> 04:00.980
All you got for the
price of admission was

04:00.980 --> 04:02.180
a wrist strap that they put on

04:02.180 --> 04:04.010
you to show that
you paid to get in.

04:04.010 --> 04:05.930
If you had that, you could go to

04:05.930 --> 04:07.280
the ticket booth to buy tickets

04:07.280 --> 04:09.235
for all the other things
you wanted to do.

04:09.235 --> 04:11.275
If you didn't have
a wrist strap,

04:11.275 --> 04:12.530
they wouldn't sell
you tickets to

04:12.530 --> 04:14.555
the rides and other activities.

04:14.555 --> 04:18.125
It turns out that the wrist
strap is pretty important,

04:18.125 --> 04:20.890
it proves that you came
in the proper way.

04:20.890 --> 04:24.080
Before I was old enough to
go to the carnival alone,

04:24.080 --> 04:25.940
I always went with my mom.

04:25.940 --> 04:28.370
Now, my mom is a lovely lady,

04:28.370 --> 04:30.530
but she is tight with money.

04:30.530 --> 04:33.770
As a matter of fact, I had
this vision of her going

04:33.770 --> 04:35.090
into her room and counting

04:35.090 --> 04:36.725
out her money like
Scrooge McDuck,

04:36.725 --> 04:39.685
because she is
tight with a coin.

04:39.685 --> 04:41.740
Back at the carnival,

04:41.740 --> 04:43.250
if I wanted to go on a ride,

04:43.250 --> 04:45.660
my mom wouldn't just give me
20 dollars so I could buy

04:45.660 --> 04:46.970
all the tickets I wanted and

04:46.970 --> 04:48.845
ride all the wild
rides that I wanted.

04:48.845 --> 04:50.390
No, she would give me

04:50.390 --> 04:51.890
the minimum amount that I would

04:51.890 --> 04:54.230
have to ride one
thing at a time.

04:54.230 --> 04:56.750
Each time I wanted to
ride something different,

04:56.750 --> 04:58.775
I'd have to go and ask
her for more money.

04:58.775 --> 05:00.110
Then I'd have to go back to

05:00.110 --> 05:03.070
the ticket booth to get
tickets for that ride.

05:03.070 --> 05:06.725
I only had to go through the
admission gate one time,

05:06.725 --> 05:10.415
but I had to go back to the
ticket booth many times.

05:10.415 --> 05:13.310
The point I wanted to
make here is that you

05:13.310 --> 05:16.220
come into the carnival
through the admission booth.

05:16.220 --> 05:18.350
When you come in
properly and pay

05:18.350 --> 05:20.510
your admission, you
get a wrist strap.

05:20.510 --> 05:22.580
That wrist strap proves
that you came in

05:22.580 --> 05:24.920
correctly and allows
you to buy tickets.

05:24.920 --> 05:26.825
For each ride you want to ride,

05:26.825 --> 05:28.145
you have to buy tickets.

05:28.145 --> 05:31.120
That means you may have to
go back to the ticket booth.

05:31.120 --> 05:32.870
Every time, you have to show

05:32.870 --> 05:35.030
your wrist strap to
buy more tickets.

05:35.030 --> 05:37.835
That's exactly how
Kerberos works.

05:37.835 --> 05:40.500
We'll talk more about that next.

